The approaches described in this section are approaches that could be pursued, but not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated, it should not be assumed that any of the approaches described in this section qualify as prior art merely by virtue of their inclusion in this section.
Policy control systems for a large number of resources generally require a method of mapping different policies to different resources and enforcing those policies when a request for resources is received. For instance, if a server computer implements a row-based access control system in a database, the system must be able to respond to a query by a user with only the rows a user is allowed to access.
One method of implementing a policy control system involves post-filtering results of a search query. For instance, after a query is run against a database, the results may be filtered to remove each resource that a user is not allowed to access. While post-filtering is effective at only returning resources a user is allowed to access, post-filtering becomes extremely inefficient in many cases, such as with sparse data. When a user is only allowed to view a relatively small number of rows, applying the post-filtering process could include paging through a large number of identified resources in order to return only a small number of resources. Additionally, post-filtering steps may not be possible when performing aggregations when a user has access to only a limited number of rows.
A second method of implementing a policy control system which is more efficient than post-processing is pre-processing the data repository to determine which resources a user can access and passing data identifying the resources to a query processor as additional elements in a query. One way to accomplish pre-processing of a search query in a hierarchical system is to store a node-based graph where each node identifies a resource and a policy for that resource. When a query is performed, the node-based graph may be traversed to identify each resource that the user requesting the query is allowed to access. Identifiers for each of the resources may then be passed to the query processor.
An inefficiency of passing identifiers of each resource a user is allowed to access to a query processor is that a large number of resources may share the same policy. For instance, a particular folder may contain a thousand documents, each of which contain a null policy. Sending identifiers for each document is inefficient when each document is capable of being treated interchangeably.
In order to reduce the amount of data sent to the query processor as a pre-filter, a server computer may use effective policy identifiers to de-duplicate data being passed to the query processor. In the example of the folder containing a thousand documents, each document may be assigned the same effective policy identifier, thereby allowing only the effective policy identifier to be passed to the query processor instead of identifiers of a thousand documents. The meaning of each effective policy identifier is based on the policies of every resource that is above the assigned resource in a hierarchical system. For instance, any change to the read privileges for a higher-level folder would affect the read privileges of a document in a lower level folder within the higher-level folder.
One difficulty in assigning effective policy identifiers is determining a method of assigning effective policy identifiers that factors in the node's position on the graph and is less susceptible to changes higher up in the node-based graph. For instance, a method of assigning effective policy identifiers could include concatenating the policies of a node and all of its parents, and mapping them to an integer. While this method factors in the node's position on the graph and de-duplicates multiple effective policy identifiers for resources on the same level, it is extremely susceptible to changes higher up in the graph. If a root node is updated, every effective policy mapping for every descendent of that root node would have to be updated and remapped to the associated nodes.
Thus, there is a need for a system that generates effective policy identifiers in a manner that factors in a node's position on a node-based graph while being less susceptible to changes higher up in the node-based graph.